Long Read · June 4, 2026 · 2 min read

Record CCPA Settlement and Federal SECURE Data Act Signal a New Era for US Privacy Compliance

Two recent developments mark a significant inflection point for consumer privacy compliance in the United States. California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors—the largest penalty ever imposed under the California Consumer Privacy Act (CCPA). At the same time, House Republicans introduced the SECURE Data Act, signaling renewed congressional momentum toward a comprehensive federal privacy framework. Together, these events underscore both intensified state-level enforcement and the growing possibility of federal preemption that businesses handling consumer data should be prepared to navigate.

The GM settlement centers on alleged violations of the CCPA's data-minimization principle in connection with the company's sale of customer data. The size of the penalty reflects California's willingness to pursue substantial monetary recoveries where regulators conclude that collection and downstream sale practices exceed what is reasonably necessary to deliver the products or services consumers expect. The action sends a clear message that data-minimization is not a hortatory guideline but an enforceable obligation, and that arrangements involving the monetization of consumer information will draw particular regulatory scrutiny.

On the federal front, House Republicans introduced the SECURE Data Act on April 22, 2026, marking the first major effort of the 119th Congress to establish comprehensive consumer privacy rules and a unified national regulatory framework. While the legislation remains in early stages, its introduction reflects continued bipartisan interest in resolving the patchwork of state privacy regimes through a single federal standard. The scope of any preemption provisions—and how they would interact with established state laws such as the CCPA—will be a critical area to monitor as the proposal advances.

For businesses, the practical implications are immediate. Companies that collect, share, or sell consumer data should reassess their data-minimization practices, audit vendor and third-party data-sale arrangements, and confirm that internal compliance programs reflect both current state requirements and the potential contours of a federal regime. Documentation of purpose limitations, retention controls, and consumer rights workflows will be especially important as enforcement intensifies.

This article is provided for general informational purposes only and does not constitute legal advice. Clients facing specific privacy compliance questions should seek tailored guidance from qualified counsel.